services.exe is trying to access the internet


HomeSA
10-02-2007, 03:17 AM
A fresh install of W2K on an older laptop. Halfway through updating the installation (meaning a few at a time), ZoneAlarm started warning that Services.exe is trying to access the internet. Denying the access leaves me with an error page when I try to access the internet. I allowed access so that I could finish all the updating.

This annoys me and I don't know what to do. Should I tell ZA to permanently allow services.exe to access the Internet? The IP address is not the same every time. What's going on here?

classicsoftware
10-02-2007, 10:02 AM
If this is a fresh install, the chances of infection are small. I think you are fine. You can post a log if you like. Have you checked to see if the IP address it is sending to corresponds to what you are doing?

mjc
10-02-2007, 11:02 AM
Services.exe is a catch-all...and is often related to auto-updaters and updaters in general.

Check the IPs, like classicsoftware said.

HomeSA
10-02-2007, 12:16 PM
I took notes of the IP addresses, but it's at home. I'll post those later. Meanwhile, searching for services.exe on my C drive showed the following. My newbie eyes are not comfortable with the results, but I would like your eagle-eye opinion if that shows some infection.

Thanks a bunch for the replies.

http://i21.tinypic.com/2mq9b95.jpg

Sylvander
10-02-2007, 05:03 PM
The screenshot below was taken within a Win2000Pro environment, "Process Explorer" window.
Notice the Windows "system" has running under it "services.exe" ["C:\WINNT\system32\SERVICES.EXE"] which then has many processes running under it in turn.
I guess that if any one of those processes running under "services.exe" were to attempt to connect to somewhere out on the web, "services.exe" would be the Windows component that would do it for them, which would all be quite normal.

HomeSA
10-03-2007, 10:02 AM
Notice the Windows "system" has running under it "services.exe" ["C:\WINNT\system32\SERVICES.EXE"] which then has many processes running under it in turn.

I understand, and I do have services.exe under C:\WINNT\system32\

But why is services.exe in 3 other locations? Is it normal? Not according to some reading I did on the net.

Have you checked to see if the IP address it is sending to corresponds to what you are doing?

The very most frequent IP address that services.exe is trying to access is:
24.205.1.14: DNS
I don't know what this is.
The only place on the Internet that I have been to is Windows Update website. Nowhere else.

Thanks for any pointers and clarifications .. HomeSA

mjc
10-03-2007, 10:13 AM
Is your ISP Charter, by any chance?


There are many reasons why an ISP will be contacted by something running...one of the main ones is DNS. An updater will usually make a DNS query...which may not be handled through a browser so it would show up, most likely under the catch all 'services'...also, if you have the time service running, etc.

To get a clearer picture, we will need more details. The log file classic asked for, a shot of Process explorer like Sylvander, etc...

Two of the other locations, the dllcache and ServicePackFiles are both legit locations...as they are where XP places the 'backup' copies of system files when you run updates.

The third location may or may not be legit...but at this point it is hard to say.

HomeSA
10-03-2007, 10:24 AM
Is your ISP Charter, by any chance?

To get a clearer picture, we will need more details. The log file classic asked for, a shot of Process explorer like Sylvander, etc...


Yes, my ISP is Charter Comm.

I am not sure what log file Classicsoftware is asking for. Is it HJT?
Do I need to install this thing called process explorer, or is it in W2K (Where?)

Sylvander
10-03-2007, 11:01 AM
"Do I need to install this thing called process explorer, or is it in W2K"
The FREE Process Explorer v11.02 (http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx)
Doesn't come as part of Win2000; must be installed, and is worth doing so.

mjc
10-03-2007, 12:24 PM
Yes, a HijackThis log...

HomeSA
10-04-2007, 09:48 AM
Hello Sylvander;
Thanks for the link.
Is the pic below what you were looking for?

http://i24.tinypic.com/2urt1t3.jpg

HomeSA
10-04-2007, 09:55 AM
I have a dilemma. Being in the wrong subforum, posting HJT log is a "shouldn't do." Then again, starting a new thread is a "shouldn't do" also. I think the first trumps the second. So here it goes. I hope the mods won't get angry with me and will move the thread if that is necessary.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:43:03 AM, on 10/4/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\WINNT\system32\ltmsg.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/2Q00CPT/0409/bF8.asp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [Cpqset] c:\compaq\cpqsetup\cpqset.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191244746652
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 3972 bytes

mjc
10-04-2007, 12:05 PM
An HJT log is a diagnostic tool, as such if you are asked for one, in an ongoing thread, then don't worry about posting it, in any subforum. IF you are posting one to start a thread or looking initially for infection combat help, then yes it goes to the 'other' place...;)

You are most likely clean...with all the Symantec things running, I wouldn't be surprised that you are getting a huge amount of outgoing requests. On a fresh install, everything and its brother are wanting to update, and Symantec products are somewhat notorious for their updating abilities.

There are probably other things you can do...

Are you going to network the laptop or leave it as a stand-alone? Is it going to be wireless?
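A small triage script for the two questions in this thread, the extra copies of services.exe and the paths listed in the HijackThis log, added here as an example; it is not part of the thread and not a HijackThis feature. The directory rules are an assumption taken from mjc's explanation above (system32 holds the live copy, dllcache and ServicePackFiles hold backup copies left by updates). The log excerpt is a subset of the lines posted above; the list of services.exe locations is constructed, and its fourth entry is a placeholder rather than the poster's unknown third location.

```python
"""Triage helpers for two questions in this thread: are the extra copies of
services.exe in expected places, and which paths in a HijackThis log sit
outside the usual system and program roots.  Added example, not part of the
thread or of HijackThis.  The directory rules are an assumption taken from
the thread's explanation: system32 holds the live copy, dllcache and
ServicePackFiles hold backup copies left by updates; anything else is
marked for review rather than called malicious."""
import re
from pathlib import PureWindowsPath
from typing import List, Tuple

WINDOWS_ROOT = r"C:\WINNT"                       # Win2000 default, as in the posted log
EXPECTED_ROOTS = [r"C:\WINNT", r"C:\Program Files", r"C:\PROGRA~1"]


def _lower_parts(path: str) -> List[str]:
    """Path components, case-folded, because NTFS paths compare case-insensitively."""
    return [part.lower() for part in PureWindowsPath(path).parts]


def classify_services_copy(path: str, windows_root: str = WINDOWS_ROOT) -> str:
    """Say whether a services.exe path is the live copy, a known backup copy,
    or something that needs a closer look."""
    p = PureWindowsPath(path)
    if p.name.lower() != "services.exe":
        return "not services.exe"
    root = _lower_parts(windows_root)
    parent = _lower_parts(str(p.parent))
    if parent[:len(root)] != root:
        return "review: outside the Windows directory"
    rel = parent[len(root):]
    if rel == ["system32"]:
        return "live copy"
    if rel == ["system32", "dllcache"]:
        return "backup copy (dllcache)"
    if rel[:1] == ["servicepackfiles"]:
        return "backup copy (ServicePackFiles)"
    return "review: unexpected location"


def path_in_expected_root(path: str) -> bool:
    """True when the path starts with one of the Windows or Program Files roots."""
    parts = _lower_parts(path)
    return any(parts[:len(r)] == r for r in map(_lower_parts, EXPECTED_ROOTS))


def hjt_paths(log_text: str) -> List[Tuple[str, str]]:
    """Pull (section, path) pairs from the 'Running processes' list and the
    O23 service lines of a HijackThis log.  Other line types are left alone."""
    found: List[Tuple[str, str]] = []
    in_procs = False
    for line in log_text.splitlines():
        if line.strip() == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if line.strip():
                found.append(("process", line.strip()))
            else:
                in_procs = False           # a blank line ends the process list
            continue
        m = re.match(r"O23 - Service: (.+?) - (.+?) - (.+)$", line)
        if m:
            found.append(("service:" + m.group(1), m.group(3).strip()))
    return found


def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """Attach a verdict to every path found in the log."""
    out = []
    for section, path in hjt_paths(log_text):
        if PureWindowsPath(path).name.lower() == "services.exe":
            verdict = classify_services_copy(path)
        elif path_in_expected_root(path):
            verdict = "expected root"
        else:
            verdict = "review: outside expected roots"
        out.append((section, path, verdict))
    return out


# Excerpt of the log posted in this thread (a subset of its lines).
HJT_SAMPLE = r"""Logfile of Trend Micro HijackThis v2.0.2

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\services.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe
"""

# Constructed list of services.exe locations.  The first three follow the
# thread's explanation; the fourth is a placeholder, not the poster's path.
SERVICES_COPIES = [
    r"C:\WINNT\system32\services.exe",
    r"C:\WINNT\system32\dllcache\services.exe",
    r"C:\WINNT\ServicePackFiles\i386\services.exe",
    r"C:\WINNT\Temp\services.exe",
]

if __name__ == "__main__":
    for copy in SERVICES_COPIES:
        print(f"{copy:50} {classify_services_copy(copy)}")
    for section, path, verdict in triage(HJT_SAMPLE):
        print(f"{section:40} {verdict:32} {path}")
```

A "review" verdict is a prompt to look, not a finding: HiJackThis.exe run from the Desktop lands there simply because it sits outside the program roots, which is exactly the kind of thing a person, not the script, decides is fine. The same goes for an unexpected services.exe location; file version and signer details, like the properties screenshot the poster went on to collect, are what settle it.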

HomeSA
10-05-2007, 08:29 AM
Two of the other locations, the dllcache and ServicePackFiles are both legit locations...as they are where XP places the 'backup' copies of system files when you run updates.

The third location may or may not be legit...but at this point it is hard to say.

With the posted info, can we still not tell what is up with that last location of the services.exe? Below is a screen shot of the properties for that location. It seems safe. No ???

http://i24.tinypic.com/65suie.jpg

Is your ISP Charter, by any chance?

I don’t know how in the world you could figure that out, but then again, that’s why you are a moderator here. I take it I can safely allow permanent access to that IP.
Here is another IP location that keeps showing up. What is this one?
66.215.64.14: DNS

There are probably other things you can do...

Are you going to network the laptop or leave it as a stand-alone? Is it going to be wireless?

mjc, what other things can I do? I am not following you.

The laptop will serve as a digital library, carrying my reading stuff around, on trips, to parks, in my backyard, etc, just to read. That is if I can find inexpensive battery replacements for it. It will also serve as temporary storage for downloading pictures from my digital camera, when on long trips.

Right now it is connected to the Internet via a wired connection to my router. I have bought a wireless card (Netgear WG511T) for trips, to stay connected, i.e., email and surfing.
The specs are: P3, 1.2GHz, 524 MB (PC133) RAM, 16 MB ATI video, 12” screen, 30 GB HD

mjc, et al, thanks a ton for following my thread.

mjc
10-05-2007, 10:10 AM
That second one is also Charter...

As for other things. If you aren't going to keep it connected all the time you could just have ZA stop all traffic and configure it to NOT pop up warnings all the time.

Switch as much as possible over to manual updates...

And if it is going to be connected less than once every two or three days...get rid of Symantec...and use a lighter weight AV (just AV, if you are running ZA on it you don't need another suite to do everything...). Because the scan/update cycle for Symantec is going to kill the machine for about the first hour it is on, after being disconnected from the network for a couple of days.

Plus, I'm sure that a couple of other suggestions will come along...;)
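The check mjc describes earlier in the thread (the flagged addresses are DNS servers, so services.exe talking to them is ordinary resolver traffic) can be made mechanical: compare the destinations the firewall reports with the resolvers the adapter is actually configured to use. This is an added example, not from the thread or from ZoneAlarm. The `ipconfig /all` excerpt and the alert lines are constructed sample data using the two addresses the thread mentions, and the layout where extra resolvers follow on indented continuation lines is an assumption about ipconfig's output format.

```python
"""Check whether firewall-flagged destinations are the machine's configured
DNS resolvers.  Added example for this thread, not a tool from the original
posts.  The ipconfig text and the flagged-connection lines are constructed
sample data; the parser assumes the 'DNS Servers' layout of `ipconfig /all`
on Windows 2000/XP, where additional resolvers follow on indented lines."""
import re
from typing import Dict, List, Set

# Constructed excerpt in the shape of `ipconfig /all` output (not captured
# from the poster's laptop).  The two resolver addresses are the ones the
# thread says ZoneAlarm kept flagging.
IPCONFIG_SAMPLE = """\
Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 24.205.1.14
                                            66.215.64.14
"""

# Constructed alert lines in the "<ip>: <label>" form the poster transcribed.
# The third address is from the documentation range and is made up.
FLAGGED_SAMPLE = [
    "24.205.1.14: DNS",
    "66.215.64.14: DNS",
    "203.0.113.7: HTTP",
]


def parse_dns_servers(ipconfig_text: str) -> Set[str]:
    """Collect every resolver address listed under 'DNS Servers'."""
    servers: Set[str] = set()
    collecting = False
    for line in ipconfig_text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*: *(\S+)?", line)
        if m:
            collecting = True
            if m.group(1):
                servers.add(m.group(1))
            continue
        if collecting:
            # Continuation lines hold only an address; any labelled line ends the list.
            cont = re.match(r"\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$", line)
            if cont:
                servers.add(cont.group(1))
            else:
                collecting = False
    return servers


def classify_flagged(flagged: List[str], resolvers: Set[str]) -> Dict[str, str]:
    """Map each flagged destination to 'configured-resolver' or 'review'."""
    result: Dict[str, str] = {}
    for entry in flagged:
        ip, _, label = entry.partition(":")
        ip, label = ip.strip(), label.strip()
        if ip in resolvers and label.upper() == "DNS":
            result[ip] = "configured-resolver"
        else:
            result[ip] = "review"
    return result


if __name__ == "__main__":
    resolvers = parse_dns_servers(IPCONFIG_SAMPLE)
    for ip, verdict in classify_flagged(FLAGGED_SAMPLE, resolvers).items():
        print(f"{ip:16} {verdict}")
```

A destination that is in the resolver set and labelled DNS is the lookup traffic mjc describes. One that is not is still not evidence of anything by itself, but it is the one worth matching against what the machine was doing at the time, which is the question classicsoftware asked at the start of the thread.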